Entry balancing and ACIs
In an entry-balancing deployment, access control instructions (ACIs) are still configured in the backend PingDirectory server data.
When defining access controls in an entry-balancing deployment, you must ensure that the data used by the access control rule is available for evaluation on all data sets.
If you use groups for access control and a group contains users from different data sets, then that group must exist on each data set. For a single ACI to apply to entries in all data sets, it must be specified above the entry-balancing point. For example, if an ACI allows access to modify users that are part of group 1, then two things must exist on both data sets:
- Group 1 must exist in the ou=groups branch of both data sets.
- The ACI referencing group 1 must exist in the ou=people branch or above. The ou=people branch entry itself is part of the common data.
The PingDirectoryProxy server ensures that any changes to entries within the scope of the entry-balancing request processor, but outside the balancing point, are applied to all backend server sets. Any ACI stored at the entry-balancing point is kept in sync if changes are made through the PingDirectoryProxy server.
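The following check is an added example, not part of the PingDirectory documentation or tooling: it verifies that each ACI at or above the balancing point is present in every data set and that every group it references through groupdn exists in every data set. The dc=example,dc=com suffix, the entry names, the set names, and the dictionary input format (entry DN mapped to its aci values, for example built from an LDIF export of each backend set) are assumptions.

```python
import re

GROUPDN = re.compile(r'groupdn\s*!?=\s*"([^"]*)"', re.I)

def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def referenced_groups(aci):
    """Group DNs named in an ACI's groupdn bind rules ('||' separates URLs)."""
    return {norm(url).removeprefix("ldap:///")
            for value in GROUPDN.findall(aci) for url in value.split("||")}

def check(data_sets, balancing_point):
    """data_sets: {set name: {entry DN: [aci values]}}; returns sorted findings."""
    bp, findings = norm(balancing_point), set()
    sets = {name: {norm(dn): acis for dn, acis in entries.items()}
            for name, entries in data_sets.items()}
    for entries in sets.values():
        for dn, acis in entries.items():
            if dn.endswith("," + bp):      # below the balancing point: per-set data
                continue
            for aci in acis:
                for other, other_entries in sets.items():
                    if aci not in other_entries.get(dn, []):
                        findings.add(f"{other}: ACI on {dn} not present")
                    for group in referenced_groups(aci):
                        if group not in other_entries:
                            findings.add(f"{other}: missing group entry {group}")
    return sorted(findings)

# Constructed sample data; dc=example,dc=com and every entry name are assumptions.
ACI = ('(targetattr="*")(version 3.0; acl "group 1 may modify users"; '
       'allow (write) groupdn="ldap:///cn=group 1,ou=groups,dc=example,dc=com";)')
COMMON = {"dc=example,dc=com": [], "ou=groups,dc=example,dc=com": [],
          "ou=people,dc=example,dc=com": [ACI]}
SET_1 = {**COMMON, "cn=group 1,ou=groups,dc=example,dc=com": [],
         "uid=alice,ou=people,dc=example,dc=com": []}
SET_2 = {**COMMON, "uid=bob,ou=people,dc=example,dc=com": []}   # group 1 missing

if __name__ == "__main__":
    for finding in check({"set-1": SET_1, "set-2": SET_2}, "ou=people,dc=example,dc=com"):
        print(finding)
```

With the sample data, the check reports that set-2 lacks the group 1 entry, so the ACI's groupdn rule could not be evaluated there.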